Information Security Governance – Telecommunication Industry

Last year I had been thinking of writing this, but there were not many forums that discussed the regulatory requirements for security governance in the telecommunication industry.

The telecommunication (telecom) industry in the Philippines and the rest of the world has gone through dramatic transformation and significant expansion. With the advent of smartphones and tablets, the industry has committed to remaining on a fast growth path, exploring new opportunities. Data services have become the main driver for the industry, with limitless opportunities from the increasing demand for internet connections and broadband (3G/4G) adoption. With the demand for social networking and other data services, the telecom industry has evolved significantly over the past ten years, and during this period the requirement for robust information security governance has increased.

Figure 1 - Wireless growth worldwide

Background

Telecommunication networks are today an inseparable part of social interaction and of critical worldwide infrastructure. Protecting these networks from malicious attacks that could lead to unavailability, or to loss of integrity and confidentiality, of network services, applications and critical business systems is thus an important aspect that cannot be ignored. An effective and robust security programme should be implemented to protect telecommunication networks from such attacks.

Traditionally, the old Public Switched Telephone Network (PSTN) has been the dominant type of public Telecommunications (telecom) network worldwide, and consists of telephone lines, fibre optic cables, microwave transmission links, communication satellites and undersea telephone cables.

The advent of cellular technologies led to the interconnection of mobile phone (cellular) networks with the PSTN. The PSTN was based on circuit-switched technology, which had been developed primarily for voice traffic. Technologies developed for data transmission, such as PSDN, ISDN, dial-up, DSL and others, also leverage the existing PSTN infrastructure. Because of the growing demand for data and video services and the limitations of circuit-switched technology, telecom operators worldwide find it economically prohibitive to expand their circuit-switched networks to meet such demand. This has led to a gradual move towards packet-based switching technology.

The mobile data services that followed GSM (GPRS and EDGE in 2G, HSPA in 3G and LTE in 4G), which were designed for data transmission, are likewise based on packet switching. The term Next Generation Network (NGN) is generally used for these packet-based networks that transport all information and services: data, voice and media such as video. NGNs are most commonly based on the Internet Protocol (IP). NGN is expected to reshape the current structure of the telecom system and of access to the Internet.

Network Components

Today’s telecom networks are a combination of several technologies – PSTN, 2G, 3G – that have evolved over a period of time. Generally speaking, the current telecom network comprises the following parts:

Access Network – This is the part of the network that connects the telecommunication equipment – fixed or mobile – to the core network for provision of services. This includes the local loop (telephone cables/fiber optic) of the fixed networks and the radio links in a mobile network, the radio towers, base stations and controllers.

Core Network – This consists of the network elements responsible for service delivery and for setting up end-to-end connections and handovers, and may be classified into circuit-switched and packet-switched domains. The core network includes components such as switches, the Mobile Switching Centre (MSC), the Home Location Register (HLR), the Visitor Location Register (VLR) and the Authentication Centre (AuC).

Application and Management Network – This consists of end-user application servers, and systems and services that support the operation, administration and maintenance functions of the network.

Internal Network – This is the telecom operator’s internal network. This includes systems used by the operator’s employees.

External Network – This is the externally visible network, typically deployed in the De-Militarized Zone (DMZ). This includes the Web servers, application servers and mail servers that are hosted by the telecom operator.

Security Challenges

The structure and functioning of circuit-switched PSTN networks, traditionally controlled by the telecom operators, offered fewer possibilities for misuse than a packet-switched network based on an open protocol like the Internet Protocol (IP). However, PSTN networks are increasingly controlled by, and dependent on, software and the operations networks. As a result, users now have access to functions that were previously restricted to telecom employees. This exposes the network to intruders and increases the potential for attacks by viruses, worms and other malicious software. GSM, a widely used mobile phone system, implements several security mechanisms: confidentiality over the radio interface, subscriber authentication, subscriber anonymity towards external parties (temporary identities), and prevention of the use of stolen terminals. However, a speech call made between two GSM operator networks, or between a GSM phone and a fixed phone, traverses the fixed network and is subject to the same security considerations in speech and signaling as a fixed-network call. CDMA mobile networks are exposed to the same threats and attack vectors as GSM networks.

Packet-based switching technology used in Next Generation Networks is usually implemented with the Internet Protocol (IP) suite. IP was built on open standards and was not originally designed with security in mind. Its weaknesses have been exploited for a long time, and they add to the risks of adopting an IP-based network.

Both the traditional circuit-switched networks and the packet-based next generation networks are exposed to different threats and attacks – both from external and internal sources – that target the various parts of the telecom network. These attacks may be targeted at any part of the telecom network, including the radio path of the access network. Attacks on one telecom operator’s network could also spread to multiple networks over the interconnection interfaces.

Challenges in meeting security requirements

Vast spread of the telecom network – The network comprises equipment from many vendors, spread across the country in which the operator works. As customers demand more services, the equipment estate keeps expanding, and more often than not there is no clear visibility of what equipment is deployed, and therefore of its security implications.

Business drivers – Technology and business architecture change constantly; new business requirements and new services drive technology changes to meet customer demand, which increases the complexity of the network architecture.

Third-party management – Different service providers operate across zones, and the network equipment deployed by vendors is mostly proprietary, so the operator is not aware of all the vulnerabilities specific to that equipment.

High cost of implementation – Security audits of all network equipment and assessments across the networks are costly because of the lack of standardization across equipment, as is retaining records of all calls and data for 12 months.

Threats to telecom networks include the following:

Tampering, destruction or theft of information and equipment, illegal tapping and interception of the network traffic

Interception of voice traffic or signaling system in PSTN networks due to absence of encryption for speech channels and inadequate authentication, integrity and confidentiality for the messages transmitted over the signaling system (which is based on the ITU-T SS7 specification)

Unauthorized access to telecom network traffic

Use of modified mobile stations to exploit weaknesses in the authentication of messages received over the radio interface

Spoofing of user de-registration and location update requests, leading to unreliable service/disruption

Use of modified base stations to entice users to attach to them

Denial of service, interception of traffic

Misuse of the lawful interception mechanism

Illegal tapping/interception of telecom network traffic

Compromise of the AuC or SIM used for storing the shared secret for the challenge-response mechanism

Identity theft (intruders masquerading as legitimate users)

Deployment of malicious applications on devices with always-on capabilities like smart phones and tablets

Use of these compromised devices to target the operator’s network (for example, by setting up botnets to carry out DDoS attacks)

Intrusions into the operations networks

Unauthorized changes to the users’ service profiles, billing and routing systems, resulting in toll fraud and unreliable service

Compromises of network databases containing customer information

Unauthorized access to personal and confidential data

Masquerading as authorized users, by gaining access to their credentials by means of malware, hacking tools, social engineering tools or other means

Gaining unauthorized access or greater privileges on network systems, which can then be used to launch other attacks

Traffic analysis – observing the calling and called numbers, and the frequency and length of the calls

Inference of activities that can be used against the telecom operator or its customers

Social engineering attacks on operator employees

Unauthorized access to confidential information

Consequences for operators who fail to adequately protect their networks include:

Financial loss

Loss of reputation for the operators in the industry

Loss of customer confidence

Legal action and fines from regulatory bodies for failure to provide secure services

Apart from these, the weaknesses in the telecom networks may also be exploited by criminal elements and terrorist organizations for their own benefit by intercepting communications, causing denial of service during terror strikes and also using it as a platform to launch attacks.

Needs of Information Security Governance

Importing telecom equipment from countries that are antagonistic to a state’s strategic interests may lead to supply chain contamination by means of embedded logic bombs and malware. The dependence on telecommunication networks and the critical role they play in the economic growth of a country have led governments to regulate the telecom industry, including requirements for ensuring the security of telecom equipment, networks and customer information.

The interconnection of the PSTN networks of fixed and mobile phone systems and the next generation network has increased the attack surface of the telecom networks. The wide range of end-user devices that can now connect to the telecom networks has added to the complexity of the networks, thereby increasing the risks and vulnerabilities as well.

As noted, the consequences of not implementing adequate security measures to deal with these could be heavy and disastrous for the business.

Several international standard development organizations like ITU, ISO/IEC, 3GPP, 3GPP2 and ETSI have prescribed standards that are applicable to telecom networks. Also, many countries have legislations and regulations that the telecom operators must comply with, which may require the adoption of specific security standards.

Telecom operators should adopt a robust, managed security programme to ensure that their networks are protected against malicious attacks, both external and internal, while also ensuring compliance to the local regulatory environment. This requires a holistic approach to implementing security measures, based on globally accepted security standards and best practices.

A multi-pronged approach to security should be adopted by telecom operators to address the current and future security challenges. Industry-recognized standards, best practices and technologies must be adopted to build a robust security programme. In addition, all applicable legal and regulatory requirements should also be considered.

Adopting Information Security Framework

Organizations develop and implement security policies and procedures to address the security requirements of their environment. To be effective, these policies and procedures should be tightly coupled with, and supported by, industry-accepted guidelines, standards and best practices. A risk-based approach should be taken while developing these policies, to ensure that the security measures are adequate to address the perceived business risks.

Several IT Frameworks available today, like COSO, COBIT, ITIL, ISO27001 and others, can be adopted to formulate a security programme. The ISO 27001:2005 standard is one of the most widely accepted security standards across industries. This provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS). For the telecom industry, this is further supported by ISO 27011:2008, which provides guidelines on information security management for telecommunication networks (jointly developed along with ITU-T).

The ISO 27001 standard is based on the Plan-Do-Check-Act (PDCA) model, which is applied to all ISMS processes. This PDCA model ensures that there is a continued focus on the security programme, and that it is not a one-time activity.

According to Wikipedia, “Governance” relates to decisions that define expectations, grant power, or verify performance. It consists either of a separate process or of a specific part of management or leadership processes. Sometimes people set up a government to administer these processes and systems.

If you have real-world experience implementing security governance practices in an organization, the thought might have come to you: “There has to be an easier way. Why is this so hard?” So, in the interest of some chuckles for the experienced and enlightenment for those new to governance, here are some common “bright ideas” and their real-world implementation.

Security policy and compliance

Developing security policy, standards, guidelines and procedures is easy: just identify the compliance requirements (if any) and align them to the business operations in the form of mission statements. Now try getting them endorsed! You will have to wrangle grammar through committees or focus groups, beware of “watering down” the mission and vision statements so far that they become useless, and then manage expectations about performing in-depth analysis of the cost and impact of implementing the standards.

Once that battle has been fought comes implementation. How do you assign the statements to stakeholders so that they are implemented throughout the organization? Only by informing all the stakeholders sufficiently of their obligations (e.g. due care and due diligence) and having them implement appropriate controls. If you start with a wide-ranging gap analysis before implementation, you may put everyone offside from the beginning. You need to post a speed limit before you get out the radar gun!

Identify all of the information assets, the associated risks, values, and effective security controls!

The risk-based rather than compliance-based approach! Maybe you can find a list of all the servers and network devices in your organization, but I challenge you to find an accurate database of which applications are hosted on that infrastructure. It is always claimed to be in a “CMDB” or similar, but when you go looking for it, it is nowhere to be found. So what are the contents of each database? Is data shared between databases and applications? And here is the real challenge: try to find and identify all of the Access databases, spreadsheets and Word documents scattered across multiple file shares, servers and document management systems. It is likely that some of the most sensitive information in your organization is sitting in your executives’ voicemail, their inboxes, or their My Documents folders.

You will likely need to spend serious money on a discovery exercise using Data Leakage Prevention (DLP) technology just to get a picture of what data your organization works with. A good first step is a data classification scheme and a mandatory requirement to classify new documents, perhaps in your main document management system. Then uplift the security controls on the document management system and use your “knowledge management team” to educate personnel to store all of their documents in it.

How often is the main business process responsible for all of the company’s profit documented? Almost never, unless the organization is heavily regulated (e.g. by privacy law or a data protection act). (Note the distinction between revenue and profit: you can lose revenue and survive through some “right-sizing”, but if you lose profit you are dead in the water.)

If your organization has undertaken an involved, modern business continuity programme (BCP), you already have one of the best building blocks for a strategic security programme. A modern BCP will identify key business processes and their importance to the organization by documenting agreed recovery requirements. It is a good start for an information security programme, but do not neglect non-critical business processes that handle a lot of personally identifiable information or that may have a reputational impact.

Good Project Management Practice

What defines a project? Does your organization have a Project Management Office (PMO)? If not, how can you be sure you have captured all of the “formal projects” across your business? The next challenge is the volume of projects: how can you sort the risky projects from the safe-to-ignore ones?

Looking at projects in detail, you may discover that the vast majority of required security controls are not implemented in a project, but inherited from the existing environment. The more advanced your security program is, the more security controls will be inherited.

A good start is to require project managers to complete a risk assessment on security governance’s behalf, pushing the responsibility onto them to engage with security governance if they have a high-risk project. Another good step is a methodology for quickly giving architects the security controls they need to address directly in their design documents (e.g. use of a central identity management system) and the key existing controls they need to consider and integrate with (e.g. firewall rules).

CMM can be used to determine the maturity of Information Security Governance in telecom organizations. The rationale for using these standards, verified through CMM, is to establish the notion of maturity: how well organizations are doing in adopting national and international standards, and where they stand in terms of compliance. To determine the maturity of an organization’s capability to deploy its Information Security and Risk Management (ISRM) strategy successfully, we have used the Capability Maturity Model (CMM) (Paulk et al. 1995), a tool developed by the Software Engineering Institute (SEI) at Carnegie Mellon University.

Capability Maturity Model

Maturity level   Characteristics
0                Non-existent; intent not identified. Controls not present; not implemented.
1                Initial, undefined and ad hoc. Not officially assigned to an individual; not documented; not monitored.
–                Managed, controlled and measurable. Controls are audited and tested; standards in place and followed; operate within recognized processes.
5                Optimal, optimizing and business aligned. Controls are included in regular audit and assessment; monitored and measured; complete control quality assurance.

Control Objectives for Information and Related Technologies (CobiT) was created by the IT Governance Institute (ITGI), which is part of the Information Systems Audit and Control Association (ISACA). ISACA is the professional body for IT auditing and administers the Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM) certifications. The CobiT framework has 34 IT processes organised in four interrelated domains. Table 1 describes the CobiT domains and the number of processes in each. CobiT focuses specifically on controlling the entire IT function.

Table 1: CobiT domains

CobiT domain                                        Description
Planning and organisation (PO), 10 processes        Covers strategy and tactics concerning the identification of ways IT can best contribute towards achievement of the business objectives.
Acquisition and implementation (AI), 7 processes    Concerns the acquisition and implementation of IT strategies and IT solutions.

ISO/IEC 27000, or ISO 27K, is a series of information security standards developed, and still being developed, by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The first standard in the series was ISO/IEC 17799. When it was decided that all the security standards should be numbered from 27000, it was renamed ISO/IEC 27002. ISO/IEC 27001, released in 2005, specifies the requirements for an ISMS against which an organization can be certified; its control set is drawn from ISO/IEC 27002. ISO/IEC 27002 divides security into 11 broad areas (listed below under ISO/IEC 27011, which follows the same structure).

This ISMS implementation guide for the telecoms industry was developed by ITU-T and ISO/IEC JTC1/SC27 and published jointly as both ITU-T X.1051 and ISO/IEC 27011.

ITU-T Recommendation X.1051 Information security management system – Requirements for telecommunications (ISMS-T) was originally published in English in July 2004, followed by Spanish, French and Russian translations in 2005. It is based on the ISMS standards extant at that time i.e.:

“For telecommunications organizations, information and the supporting processes, telecommunications facilities, networks and lines are important business assets. In order for telecommunications organizations to appropriately manage these business assets and to correctly and successfully continue their business activities, information security management is extremely necessary. This Recommendation provides the requirements on information security management for telecommunications organizations.

This Recommendation specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented information security management system (ISMS) within the context of the telecommunication’s overall business risks. It specifies requirements for the implementation of security controls customized to the needs of individual telecommunications or parts thereof.”

ITU-T proposed extending ISO/IEC 27011 with two new parts, namely:

Security management Guidelines for Small and Medium-sized telecommunications organizations [X.sgsm]: a guide to the implementation of information security management based on X.1051 (ISO/IEC 27011);

The scope of this international standard is to define guidelines supporting the implementation of information security management (ISM) in telecommunications organizations. Its guidance follows the same 11 control areas as ISO/IEC 27002:

Security policy

Organization of information security

Asset management

Human resources security

Physical and environmental security

Communications and operations management

Access control

Information systems acquisition, development and maintenance

Information security incident management

Business continuity management

Compliance

The adoption of this international standard will allow telecommunications organizations to meet baseline information security management requirements of confidentiality, integrity, availability and any other relevant security property.

ISO/IEC 27011:2008 establishes guidelines and general principles for initiating, implementing, maintaining, and improving ISM in telecommunications organizations based on ISO/IEC 27002.

ISO/IEC 27011 now includes a telecommunications extended control set which provides new controls and implementation guidance for a telecommunications organization. This has been included in two new annexes.

This standard provides an implementation baseline for ISM within telecommunications organizations to ensure the confidentiality, integrity and availability of telecommunications facilities and services.

Telecommunications organizations that implement ISO/IEC 27011 both within and between jurisdictions will:

Be able to assure the confidentiality, integrity and availability of the global telecommunications facilities and services,

Have adopted secure collaborative processes and controls that lower the risks in the delivery of telecommunications services,

The standard provides telecommunications organizations with a common set of general security control objectives based on ISO/IEC 27002, telecommunications sector-specific controls, and information security management guidelines that allow for the selection and implementation of such controls, leading to a higher level of information security within the organization.

Use of this standard by telecommunications organizations will increase public trust, leading to an increase in business and profits.

The implementation of ISMS policies and processes should be supported by a security infrastructure that includes multiple security layers. This “Defense in Depth” approach ensures that the compromise of one security layer alone does not expose the network to attacks.

Some of the security measures that can be deployed across the various layers are:

Interference and tamper-proof cabling infrastructure

Security guards and CCTV monitoring for operator premise perimeters

Physical access control mechanisms like smartcard and biometric readers

Firewalls at the network perimeter and DMZ for publicly accessible systems

Encryption and data masking techniques for data both at rest and in transit

Security awareness training for staff

Conducting Security Testing

Maintaining a consistent security posture across an organization’s network in the face of the ever changing nature of information security is a complex and time consuming task. Periodic security testing plays a vital role in assessing and enhancing the security of networks.

Vulnerability Assessment

Telecommunication networks are likely to have a heterogeneous mix of equipment from various suppliers. A credible, trusted third-party certification programme must be in place to identify and evaluate security weaknesses and vulnerabilities in the equipment’s software, firmware and hardware implementations. Certification of supplier products against the Common Criteria (ISO/IEC 15408) provides this assurance at the component level, but only for the evaluated configuration and the security target the vendor claimed; the operator still has to verify that what is deployed matches what was evaluated.

With a large number of vulnerabilities and an increasing number of attacks exploiting them being reported across technology platforms, it is becoming difficult to ensure that the critical elements of a telecommunications network are not vulnerable to these attacks.

Vulnerability assessment can be used to:

Identify vulnerabilities

Report and assess the vulnerability and its overall consequence

Recommend mitigation strategies (safeguards or alternatives)

Ensure that organizational security policies are met by auditing the system configurations

Provide input into the incident handling process

Fuzz Testing

While vulnerability assessments help identify and mitigate known vulnerabilities, they cannot protect against the exploitation of unknown vulnerabilities, which are likely in complex networks such as telecom networks. A methodology now being used to address these unknown vulnerabilities is fuzz testing, a form of attack simulation in which abnormal inputs are used to trigger vulnerabilities. One approach is model-based fuzzing, which uses the protocol specification to target the tests at the protocol areas most susceptible to vulnerabilities, such as length fields and optional elements.

Another approach, traffic-capture fuzzing, uses captured traffic as the seed from which the fuzzer’s test cases are mutated.
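As an added example (not code from the original page or from any vendor or standards body), the following Python script runs both approaches against a constructed toy parser for a made-up TLV signaling message format: a 1-byte type, a 2-byte body length, then tag/length/value elements. The parser, the “captured” message, the field model and the parser’s flaw (it reads a length byte without checking that one exists) are all constructed for illustration and describe no real product. The traffic-capture strategy blindly mutates the captured message; the model-based strategy builds messages from the field model, emits the boundary shapes a length-prefixed field is most likely to mishandle, and keeps the header length consistent so that the input gets past the header check and into the TLV loop. The harness counts how many cases were parsed, rejected cleanly, or crashed the parser with an unexpected exception, which is the signal a fuzzer reports.

```python
"""Added example: capture-based and model-based fuzzing of a constructed toy
signalling-message parser. Nothing here describes a real telecom product."""
import random
import struct


class ParseError(Exception):
    """Raised for malformed input the parser is expected to reject cleanly."""


def parse_tlv(msg: bytes, hardened: bool = False) -> dict:
    """Parse the made-up format: type (1 byte), body length (2 bytes, big-endian),
    then TLV elements of tag (1 byte), length (1 byte), value.
    Constructed flaw: unless hardened=True the length byte is read without checking
    that it exists, so a trailing lone tag byte raises IndexError."""
    if len(msg) < 3:
        raise ParseError("short header")
    body_len = struct.unpack(">H", msg[1:3])[0]
    if body_len != len(msg) - 3:
        raise ParseError("body length does not match message size")
    fields, i = {}, 3
    while i < len(msg):
        if hardened and i + 1 >= len(msg):
            raise ParseError("tag without length byte")
        tag, length = msg[i], msg[i + 1]          # constructed flaw lives here
        if i + 2 + length > len(msg):
            raise ParseError("value overruns message")
        fields[tag] = msg[i + 2:i + 2 + length]
        i += 2 + length
    return fields


def fix_length(msg: bytes) -> bytes:
    """Protocol knowledge from the model: recompute the body length so a mutated
    message is not thrown away at the header before the TLV loop runs."""
    if len(msg) < 3:
        return msg
    return msg[:1] + struct.pack(">H", len(msg) - 3) + msg[3:]


# Constructed "captured" message: type 0x10, tag 1 = b"1234", tag 2 = 0x0001.
CAPTURED = bytes.fromhex("10 000a 01 04 31323334 02 02 0001")

# Field model for model-based generation: tag -> interesting value lengths.
MODEL = {0x01: (0, 1, 4, 255), 0x02: (0, 2, 255)}


def mutate_capture(msg: bytes, rng: random.Random) -> bytes:
    """Traffic-capture fuzzing: one blind mutation of the recorded message."""
    buf = bytearray(msg)
    pos = rng.randrange(len(buf))
    op = rng.choice(("flip", "insert", "delete", "truncate"))
    if op == "flip":
        buf[pos] ^= 1 << rng.randrange(8)
    elif op == "insert":
        buf.insert(pos, rng.randrange(256))
    elif op == "delete":
        del buf[pos]
    else:
        del buf[pos:]
    return bytes(buf)


def generate_from_model(rng: random.Random) -> bytes:
    """Model-based fuzzing: build a message from the field model, emitting the
    shapes a length-prefixed field is most likely to mishandle."""
    body = bytearray()
    for tag, lengths in MODEL.items():
        length = rng.choice(lengths)
        value = bytes(rng.randrange(256) for _ in range(length))
        shape = rng.choice(("valid", "valid", "overclaim", "tag_only"))
        if shape == "valid":
            body += bytes([tag, length]) + value
        elif shape == "overclaim":                  # declared length > bytes present
            body += bytes([tag, min(length + 1, 255)]) + value
        else:                                       # element cut off after its tag
            body += bytes([tag])
    return fix_length(bytes([0x10, 0, 0]) + bytes(body))


def classify(msg: bytes, hardened: bool = False) -> str:
    """'ok' = parsed, 'rejected' = expected ParseError, 'crash' = anything else."""
    try:
        parse_tlv(msg, hardened)
        return "ok"
    except ParseError:
        return "rejected"
    except Exception:
        return "crash"


def campaign(strategy: str, n: int = 300, seed: int = 1, hardened: bool = False) -> dict:
    """Run n cases with one strategy; return outcome counts and the crashing inputs."""
    rng = random.Random(seed)
    counts = {"ok": 0, "rejected": 0, "crash": 0}
    crashes = []
    for _ in range(n):
        if strategy == "capture":
            case = mutate_capture(CAPTURED, rng)
        elif strategy == "capture+fixup":
            case = fix_length(mutate_capture(CAPTURED, rng))
        elif strategy == "model":
            case = generate_from_model(rng)
        else:
            raise ValueError(strategy)
        outcome = classify(case, hardened)
        counts[outcome] += 1
        if outcome == "crash":
            crashes.append(case)
    return {"counts": counts, "crashes": crashes}


if __name__ == "__main__":
    for strategy in ("capture", "capture+fixup", "model"):
        result = campaign(strategy)
        first = result["crashes"][0].hex() if result["crashes"] else "none"
        print(f"{strategy:14s} {result['counts']}  first crash: {first}")
    print("model vs hardened parser", campaign("model", hardened=True)["counts"])
```

Blind mutation of the capture mostly dies at the header length check; adding the one piece of model knowledge (recompute the length) and, further, generating from the field model both reach the TLV loop far more often and turn up the lone-tag crash quickly. Re-running the model campaign against the hardened parser should show zero crashes and only clean rejections, which is the regression check to keep after the fix.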

Radio Access Path Security Testing

An aspect of security testing that is unique to a telecommunications network is the testing of the radio access network. By and large, the approach to testing radio nodes is based on custom test scenarios, which in turn are based on the characteristics of the individual radio nodes. The primary tools in use are a modified Mobile Station (MS) and custom radio traffic injection scripts. To protect subscribers’ privacy during the tests, it is recommended that a second test device (an unmodified MS) be used as the primary target of the attacks where possible. The tests should be designed to prevent legitimate subscribers from associating with the modified equipment, and to ensure that there is no service disruption.

Penetration Testing

Penetration testing supplements vulnerability assessment by taking “the last step”: actually exploiting the vulnerabilities to compromise and gain access to the target systems, rather than just reporting potential vulnerabilities. It provides the “hacker’s” perspective both inside and outside the network perimeter. Security testing specialists attempt to infiltrate the client’s network, systems and applications using not only common technologies and techniques but also specialized tools and unexpected methods, such as combined (“multi-vector”) attacks. The result is a detailed report identifying key vulnerabilities and suggested protection tactics: an action plan to improve the organization’s security posture.

Conducting Network Security Audits

Network security audits can be conducted to discover, assess, test and report the existing security infrastructure implementations. Network security audits should be based on internationally accepted standards and frameworks like ISO 27001 and COBIT.

A methodology for network security audits consists of four distinct phases:

Scope and Plan – This involves defining the audit objective, determining the audit scope, understanding the business risks and defining the project plan.

Information Gathering – This is gathering the information about the security policies, processes and security controls that have been implemented, and also the industry best practices, standards and guidelines that are applicable.

Assessment – This is performed to discover the vulnerabilities existing in the system. The impact of any discovered vulnerability on the telecom operator business is used to determine a risk rating.

Documentation – This includes the analysis and reporting of data and test results. The report documents the results and findings of the security assessment and includes a discussion of the risk analysis arising from the assessment, implications to the telecom operator’s systems and networks and recommendations for improving the security position of the operator’s applications, systems and networks.

The 11 ISO/IEC 27002 areas listed earlier are subdivided into many more specific controls. ISO/IEC is also working on a number of other standards for the 27000 series:

ISO/IEC 27K series     Description
ISO/IEC 27001:2005     The information security management system (ISMS) requirements standard
ISO/IEC 27002:2005     The code of practice for information security management, describing a comprehensive set of information security control objectives
ISO/IEC 27003          Provides implementation guidance for ISO/IEC 27001
ISO/IEC 27004          An information security management measurement standard suggesting metrics to help improve the effectiveness of an ISMS
ISO/IEC 27005:2008     An information security risk management standard
ISO/IEC 27006:2007     A guide to the certification or registration process for accredited ISMS certification or registration bodies
ISO/IEC 27007          Will be a guideline for auditing information security management systems
ISO/IEC 27008          Will provide guidance on auditing information security controls
ISO/IEC 27010          Will provide guidance on information security management for sector-to-sector communications
ISO/IEC 27011:2008     The information security management guideline for telecommunications organizations
ISO/IEC 27013          Will provide guidance on the integrated implementation of ISO/IEC 20000-1 and ISO/IEC 27001


Right now it is difficult to ascertain this information for the telecom industry. One of the challenges in obtaining a maturity benchmark for the industry is the lack of regulatory compliance reporting: most telecoms do not report their compliance or security posture. Try http://www.etis.org/